Flex Anyconnect vpn and site to site VPN

MriduD
Level 1

Hello all, I need your help to come up with a solution.

A user is connected remotely to the host location via a FlexVPN AnyConnect remote-access VPN (VPN pool 172.17.1.1 to 172.17.1.40). There is also a site-to-site VPN between the host location (192.168.1.0/24) and the branch location (192.168.2.0/24). He wants to print to printers at 192.168.2.19, .20, .21 and .22, which are in the branch location. Both locations have Cisco IOS XE routers. How do I achieve it? Please help me with the routes.

36 Replies

Yes friend, I see it, but I don't know the printer subnet.

Anyway, no need for the printer IP specifically.

If you allow the printer subnet in the ACL of the S2S VPN, that is perfect.

Now,

four other points:

1- The AnyConnect VPN pool must also be added to the ACL of the S2S VPN.

2- In the branch you need to configure a route toward the host for the AnyConnect VPN pool.

3- In the host you need to add the printer subnet to the ACL of the "route set" under the crypto authorization policy.

4- Last point: add the printer and the AnyConnect VPN pool to the zone policy (do the above three points, and if you see drops in the policy we can modify the config to cover these IPs).

MHM

Main site subnet - 26.1.1.0/24

Branch subnet/printer (192.168.2.21) -- 192.168.2.0/24

VPN pool 172.16.7.1 - 172.16.7.40

 

Crypto acl of main site:

Ip access-list extended NewJersey
10 permit ip 26.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
*20 permit ip 172.16.7.0 0.0.0.255 192.168.2.0 0.0.0.255*

Crypto acl of branch:

 ip access-list extended Denver
10 permit ip 192.168.2.0 0.0.0.255 26.1.1.0 0.0.0.255
*20 permit ip 192.168.2.0 0.0.0.255 172.16.7.0 0.0.0.255*

1. Added already.

2. The static route in the branch is missing. I thought the crypto ACL in the branch would send the return traffic.

Should I configure this in the branch?

ip route 172.16.7.0 255.255.255.0 26.1.1.1

 

3. Added already.

No need. I checked your config; you already have a default route toward the interface configured with the crypto map.

If we finish these points, try a ping from AnyConnect to the printer IP.

MHM
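The point the thread keeps returning to is that a policy-based IPsec tunnel only carries a flow if it matches a permit line in the crypto ACL on the encrypting side and the mirror image of that line on the peer, so the AnyConnect pool has to be added on both ends (MHM's point 1 and the two ACLs posted above). The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the two extended ACLs as posted (NewJersey on the main site, Denver on the branch), verifies they are mirror images, reports any line missing on the peer, and tests whether a concrete flow such as an AnyConnect client (172.16.7.5, an assumed address inside the posted pool) printing to 192.168.2.21 would be treated as interesting traffic in both directions. The "before fix" branch ACL is constructed here to show what the mismatch looks like; only the address/wildcard form of `permit ip` lines is handled, which is all the posted ACLs use.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs as posted in the thread.
# The leading numbers are IOS sequence numbers.
MAIN_SITE_ACL = """
ip access-list extended NewJersey
 10 permit ip 26.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 20 permit ip 172.16.7.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

BRANCH_ACL = """
ip access-list extended Denver
 10 permit ip 192.168.2.0 0.0.0.255 26.1.1.0 0.0.0.255
 20 permit ip 192.168.2.0 0.0.0.255 172.16.7.0 0.0.0.255
"""

# Constructed (hypothetical) branch ACL before the AnyConnect pool line was added.
BRANCH_ACL_BEFORE_FIX = """
ip access-list extended Denver
 10 permit ip 192.168.2.0 0.0.0.255 26.1.1.0 0.0.0.255
"""

# Matches "[seq] permit ip <src> <src-wildcard> <dst> <dst-wildcard>"; other ACE
# forms (host/any, deny, protocol-specific) are ignored by this checker.
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network, e.g.
    26.1.1.0 0.0.0.255 -> 26.1.1.0/24. Non-contiguous wildcards are rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_crypto_acl(text):
    """Return the (src_network, dst_network) pairs permitted by an extended ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            pairs.append((src, dst))
    return pairs


def missing_on_remote(local_acl, remote_acl):
    """Local (src, dst) pairs that have no mirrored (dst, src) pair on the peer.
    Each entry is returned as 'src -> dst' so the report is easy to read."""
    local = set(parse_crypto_acl(local_acl))
    remote_mirrored = {(d, s) for s, d in parse_crypto_acl(remote_acl)}
    return sorted(f"{s} -> {d}" for s, d in local - remote_mirrored)


def is_mirror_image(local_acl, remote_acl):
    """Policy-based IPsec needs every line on one peer mirrored on the other,
    in both directions; otherwise traffic is encrypted one way and dropped the other."""
    return not missing_on_remote(local_acl, remote_acl) and not missing_on_remote(remote_acl, local_acl)


def flow_is_interesting(acl_text, src_ip, dst_ip):
    """True if a packet src->dst matches a permit line, i.e. would be sent into the tunnel."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in parse_crypto_acl(acl_text))


if __name__ == "__main__":
    client, printer = "172.16.7.5", "192.168.2.21"   # assumed AnyConnect client, posted printer
    for label, branch in (("as posted", BRANCH_ACL), ("before fix", BRANCH_ACL_BEFORE_FIX)):
        print(f"branch ACL {label}: mirror image = {is_mirror_image(MAIN_SITE_ACL, branch)}")
        for entry in missing_on_remote(MAIN_SITE_ACL, branch):
            print(f"  main-site line not mirrored on branch: {entry}")
        print(f"  client->printer encrypted at main site: {flow_is_interesting(MAIN_SITE_ACL, client, printer)}")
        print(f"  printer->client encrypted at branch:    {flow_is_interesting(branch, printer, client)}")
```

Run it against copies of the real `show run | section access-list` output from both routers; the "before fix" case is exactly the state the thread describes, where the main site encrypts the AnyConnect-to-printer flow but the branch has no matching line for the return path. Note that this only checks interesting-traffic selection; as Rick and MHM say later in the thread, the packet still has to be routed toward the crypto-map interface before the ACL is ever consulted.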

So, any update?

Did you check whether AnyConnect has added a route for the printer toward the main site?

And further, does the main site have a route toward the branch for the printer subnet?

MHM

Hi Sir, I have attached the latest configs. There are no static routes, just a policy-based site-to-site VPN. So the subnets have been advertised in the crypto ACLs.

ip access-list standard VPNACL
 10 permit 26.1.1.0 0.0.0.255
 20 permit 192.168.2.0 0.0.0.255 <- remove this 

Under crypto ikev2 authorization policy <>

add the line below:

route set remote ipv4 192.168.2.0 255.255.255.0

 

And in the host router you must have a route to the printer subnet:

ip route 192.168.2.0 255.255.255.0 g0/0/0

The ACL decides whether data is encrypted or not; it does not route it.

MHM

 

Done.

But when I added 'ip route 192.168.2.0 255.255.255.0 g0/0/0' to the main site router, communication between the main site and the branch stopped working.

I am looking at the new configs, but want to respond sooner about the suggestion to add the static route 'ip route 192.168.2.0 255.255.255.0 g0/0/0'. When you configure a static route that specifies the outbound interface but not the next hop (and the outbound interface is Ethernet), the router must ARP for every remote address in that network. That requires the next-hop device to support proxy ARP so that it will respond to those ARP requests. Many ISPs do not support proxy ARP, considering it a security risk. I suspect this is why communication failed when you added that static route.

I am not sure that the static route is needed (pending review of the config). But if it is needed, it needs to specify a next-hop address.

HTH

Rick

I do not think that you need to add a static route for 172.16.7.0. And if you do add the static route, the next hop should NOT be 26.1.1.1. The config of the branch does not have any information about 26.1.1.0 and so would use the default route. Any route with a next hop of 26.1.1.1 will not be used, and the default would cover it.

Have you made modifications to OutsideToInsideACL?

If we are still trying to find a solution, then perhaps it would be beneficial to post a fresh copy of the branch config (especially since there seems to be some confusion about whether the posted copy was the right one)?

HTH

Rick

Removing the attachments. Let me know if you need them again.

 

Please check the configs.

Do they know how to reach each other in the routing table?

Traceroute can help you see where the packets are being dropped, if you are not NATing.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I may be wrong, as I am a newbie.

But since I have configured a policy-based site-to-site VPN, I don't think the routes will show in the output of the command show ip route. Please advise.

 

But at least when you do a traceroute you will see the path it is taking and where it is failing, which makes for simple troubleshooting.

 

BB


leoyue09
Level 1

 

  • Double-check the actual printing protocol used by your printers (LPD is common, but some might use RAW or other protocols). Adjust the ACL rule accordingly to allow the specific port used.
  • Consider implementing DNS resolution on the user's remote machine so printers can be identified by hostname instead of IP address.
  • For troubleshooting, use debug commands on the routers to monitor traffic flow and identify any potential issues.

 

Thank you for the advice, Leo.

In the crypto ACL, I have permitted IP-level access between the subnets. Shouldn't that take care of it?
